For August, a ‘complex’ Patch Tuesday with 111 updates


Microsoft’s August Patch Tuesday release offers a rather complex set of updates, with 111 fixes affecting Windows, Office, SQL Server and Exchange Server — and several “Patch Now” recommendations. 

Publicly disclosed vulnerabilities in Windows Kerberos (CVE-2025-53779) and Microsoft SQL Server (CVE-2025-49719) require immediate attention. In addition, a CISA directive about a severe Microsoft Exchange vulnerability (CVE-2025-53786) also requires immediate attention for government systems. And Office is on the “Patch Now” update calendar due to a “preview pane” vulnerability (CVE-2025-53740).

Thankfully, Microsoft’s browsers and development platform (Visual Studio) can be added to a standard release cadence. 

To help navigate these changes, the team from Readiness crafted a helpful infographic detailing the risks of deploying updates to each platform. (More information about recent Patch Tuesday releases is available here.)

Known issues 

Unusually, this month’s known issues do not cover Windows, but rather two Microsoft server products: 

Microsoft Exchange Server: The Edge Transport service (EdgeTransport.exe) stops responding and then restarts. For more information and a workaround, see Edge Transport service stops responding after installing November 2024 SU or Exchange 2019 CU15.

Microsoft SharePoint Server: After you install this update, you might experience an issue when you configure calendar overlay settings. For more information, see “Invalid EWS URL: ” error in Overlay settings in CalendarService.ashx (KB5064829). (No, that’s not a typo, but the real title of this Microsoft Knowledge Base (KB) article.)

Major revisions and mitigations

There are more than the usual number of updates and changes to existing patches, recommendations and remediations this month. We distilled this long list to just the changes that require developer/administrator attention as opposed to more informational or documentation changes:

CVE-2025-53786: Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability. Microsoft released new information on an Elevation of Privilege (EoP) vulnerability that was not addressed by recent security changes as documented in the April 18 Exchange Team blog post.

CVE-2022-41089: .NET Framework Remote Code Execution Vulnerability. Microsoft had published a number of technical workarounds for this vulnerability in .NET. Please note that if you used any workaround or mitigations for this issue, they are no longer needed; Microsoft recommends you remove them. To do so, see the instructions in the “Alternative Workaround” section of KB5022083.

CVE-2024-29187: GitHub: CVE-2024-29187 WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM. Microsoft added Windows version 1607 to the affected system table, so we added this to our updated CVE list. We recognize that 1607 is a very old build, but the packages generated on this legacy build are still in circulation.

Windows lifecycle and enforcement updates

The company didn’t publish any enforcement updates, but the following Microsoft products are nearing their end of service life cycles:

Support for Windows Server 2008 will end in January 2026.

Windows Server 2008 Premium Assurance will end on Jan. 13, 2026.

Though no surprise to some, Microsoft will remove PowerShell 2.0 from Windows starting this month, eight years after announcing its deprecation and keeping it around as an optional feature. 

As always, the Readiness team has analyzed Microsoft’s latest updates and provides technically sound, actionable testing plans. August’s release brings updates to core Windows components, with significant changes affecting printing subsystems and remote desktop authentication. Two components have been designated as high-risk and warrant immediate attention: the Printing Subsystem and Remote Desktop Authentication components.

For this testing guide, we grouped Microsoft’s updates by Windows feature and accompanied each section with prescriptive test actions and rationales to help prioritize enterprise validation efforts.

Core OS and printing

Microsoft updated core kernel components affecting Windows as a whole, including kernel and system drivers. The printing subsystem update carries high risk necessitating immediate validation. These low-level system changes can affect system stability and printing functionality across the enterprise. We recommend the following testing approach:

Apply the security updates and reboot the system.

Test various print scenarios, including printing from 32-bit applications.

Run scenarios to test that Win32 applications properly render text content.

Use Kernel Transaction Manager to create, roll back, migrate, and dispatch transactions.

Test transaction NTFS scenarios.

Remote Desktop and network connectivity

This month’s updates significantly affect remote desktop authentication and network connectivity components. The updates to Microsoft Active Directory authentication are marked as high-risk and affect both Azure AD and traditional Active Directory authentication scenarios. Low-level network socket functionality has also been updated. We recommend testing of the following areas:

Authentication scenarios for AD/AAD-joined devices

Test RDP logins using Azure AD token (interactive login), NTLM credentials and Kerberos.

Validate RDP login via Remote Desktop Gateway (RDGW) using AD credentials.

Ensure correct RDP session timeout and auto-reconnect behavior.

Validate credential caching and re-authentication prompts using Connect → Disconnect → Reconnect → Logoff → Login testing cycles.

Trigger and verify MFA challenges during RDP login.

Network connectivity testing

Transmit UDP packets to IPv4 and IPv6 address structures; create UDP sockets with the Winsock library, then bind and unbind them with IP addresses.

Send and receive large packets over the network using IPv6. Test using large files.

Establish multiple concurrent TCP connections using Winsock APIs and verify clean termination.
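A loopback smoke test for the UDP and TCP items above, as an added example that is not part of the original article or the Readiness test plan; the function names, payload sizes and timeouts are assumptions. It uses Python's standard `socket` module (which sits on Winsock on Windows) and only exercises the local stack, so large-file transfers across a real IPv6 network still need a separate run.

```python
# Added example (not from the article): loopback smoke test; names and sizes are assumptions.
import hashlib
import socket
from concurrent.futures import ThreadPoolExecutor

def udp_roundtrip(family, host, size=1200):
    """Bind, send one datagram to ourselves, verify, unbind. None = family unavailable."""
    payload = b"\xa5" * size
    try:
        rx = socket.socket(family, socket.SOCK_DGRAM)
    except OSError:
        return None
    with rx, socket.socket(family, socket.SOCK_DGRAM) as tx:
        try:
            rx.bind((host, 0))                # port 0: the OS picks a free port
        except OSError:
            return None                       # e.g. IPv6 loopback disabled
        rx.settimeout(3)
        try:
            tx.sendto(payload, rx.getsockname())
            return rx.recvfrom(65535)[0] == payload
        except OSError:
            return False

def _serve_one(srv):  # accept one peer, hash bytes until its FIN, reply with the digest
    conn, _ = srv.accept()
    with conn:
        digest = hashlib.sha256()
        while chunk := conn.recv(65536):
            digest.update(chunk)
        conn.sendall(digest.digest())

def _client(addr, payload):
    try:
        with socket.create_connection(addr, timeout=10) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)        # half-close: signals end of upload
            reply = b"".join(iter(lambda: s.recv(64), b""))  # b"" = orderly close
        return reply == hashlib.sha256(payload).digest()
    except OSError:                           # reset or timeout = unclean termination
        return False

def tcp_concurrent(n=8, size=1 << 20):
    """n simultaneous loopback TCP transfers; True only if every one ends cleanly."""
    payload = b"\x5a" * size
    with socket.create_server(("127.0.0.1", 0)) as srv, ThreadPoolExecutor(2 * n) as pool:
        srv.settimeout(10)
        servers = [pool.submit(_serve_one, srv) for _ in range(n)]
        clients = [pool.submit(_client, srv.getsockname(), payload) for _ in range(n)]
        return all(f.result() for f in clients) and not any(f.exception() for f in servers)
```

Run it before and after applying the update on a pilot machine, calling `udp_roundtrip(socket.AF_INET, "127.0.0.1")`, `udp_roundtrip(socket.AF_INET6, "::1")` and `tcp_concurrent()`; a result that changes from `True` to `False` marks a regression worth investigating.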

Filesystem and storage

Updates to core filesystem components, including ntfs.sys and cldflt.sys, require validation to ensure file system operations continue to function properly. Directory querying functionality has been specifically updated and requires targeted testing:

Test directory querying related scenarios with DOS (i.e. short) file names.

Apply test scenarios where your internal or line-of-business applications access SMB servers.

Test applications that use .lnk files, specifically mentioning the TargetPath in the LNK file properties.

Media and codecs

Microsoft updated media handling components affecting video playback and image processing capabilities. These updates require validation across different media scenarios:

Play videos or watch TV/movies with subtitles on Blu-ray using Microsoft Media Foundation — subtitles should appear as expected. (I suggest Buckaroo Banzai.)

Embed JPEG images in Visio and other Office documents.

Take pictures and record video with the Camera app.

Application deployment and infrastructure

Updates to Windows Installer and App Silos functionality require validation to ensure app installs function as expected. We suggest the following tests:

Install, uninstall, rollback and repair MSI Installer files.

Test App Silos feature scenarios using silo apps that perform filesystem access.

Verify no memory leaks when the BFS driver is invoked using the “sc start bfs” and “sc stop bfs” commands.

Routing and Remote Access Service (RRAS)

Significant updates to RRAS components require a full test of functionality:

Perform normal operations on the RRAS management console if RRAS is installed on a server.

Set up RIP (Routing Information Protocol) on a remote machine and clear the “SpecialInterfaceName” flag.

Perform configuration or viewing operations using the management console for both local and remote installations.

Test different property pages (DHCP, NAT, RIP, IGMP, BOOTP) to ensure they show correct information for valid configurations.

Test invalid configurations to ensure they are handled correctly (by not opening the respective page/tab or showing an error dialog).

Virtualization and development platforms

The August updates to Microsoft’s virtualization and development platform require validation across multiple scenarios:

Establish PSDirect (PowerShell Direct) service and enable enhanced session in VMConnect, perform VM resets.

Open remote sessions on devices with no proprietary driver installed and test applications such as Calculator and Notepad.

Test apps that use nearby sharing functionality (Settings > System > Nearby sharing).

Test scenarios using Active Directory components, such as Active Directory Certificate Service and LDAP.

The team recommends prioritizing remote desktop authentication testing this month, particularly around Azure AD integration scenarios, followed by printing subsystem validation and checks that your RRAS configurations continue to function. Pay special attention to the high-risk components identified in this release, as any regressions could significantly affect enterprise remote access and printing capabilities.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

Browsers (Microsoft IE and Edge);

Microsoft Windows (both desktop and server);

Microsoft Office;

Microsoft SQL Server;

Microsoft Exchange; 

Microsoft Developer Tools (Visual Studio and .NET);

Adobe (if you get this far).

Browsers

Microsoft released 10 updates to its browser platforms, all of them rated important. Eight of the patches are Chromium updates, with the remaining two for Microsoft Edge. All of these low-profile changes can be added to your standard release calendar.

Windows

The following Windows product areas have been updated with six critical patches, 60 rated important and one update rated as moderate:

Windows GDI+, Graphics and DirectX Kernel.

Microsoft Message Queuing (MSMQ).

Windows NTLM and Hyper-V.

Windows Kerberos.

Unfortunately, the Kerberos update (CVE-2025-53779) has been publicly disclosed, leading to a “Patch Now” recommendation.

Microsoft Office

A larger-than-usual set of updates for Microsoft Office this month includes five patches (CVE-2025-5373, CVE-2025-53733, CVE-2025-53784, CVE-2025-53740, CVE-2025-53766, and CVE-2025-53784) rated critical and 13 updates rated important. Unfortunately, CVE-2025-53740 has a preview pane vulnerability, leading to a “Patch Now” recommendation for Office.

Microsoft SQL Server

Microsoft released five updates rated important to Microsoft SQL Server (CVE-2025-49758, CVE-2025-53727, CVE-2025-24999, CVE-2025-49759 and CVE-2025-47954). In addition, a patch from July (CVE-2025-49719) has been updated by Microsoft due to public disclosure. Add these updates to your “Patch Now” plan.

Microsoft Exchange Server

One of the primary points of focus for both testing and rapid deployment involves Microsoft Exchange Server. Five patches were released, and while all are rated as important, we believe that they should receive immediate attention. The primary factor: the latest directive from CISA detailing the active exploitation of CVE-2025-53786, which directly affects hybrid Exchange environments. It looks like government implementations are both particularly susceptible and actively targeted. Add this update to your “Patch Now” schedule.

Developer tools

Microsoft released two updates for its development platform (CVE-2025-53772 and CVE-2025-53773), affecting Visual Studio and Microsoft’s Web Deploy tools. Add these low-profile updates to your standard release calendar.

Adobe (and third-party updates)

No updates this time from Microsoft for Adobe products. And the only third-party product updates were for Chromium — which don’t really count. So, I will use this space to apologise for having separate sections for Microsoft SQL and Exchange Server. It’s a lot for anybody. Luckily, I didn’t have to add an extra section for SharePoint server — that would be bad.